Slashdot Mirror


Yahoo Mail Resets Account Passwords After Attack

MAXOMENOS writes: "Last night Yahoo! announced via their Tumblr page that they had detected attacks against some Yahoo Mail accounts. They reset the passwords to all affected accounts, and advised users of good password practices. Quoting: 'Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails.'"

17 of 96 comments

  1. The real news by Anonymous Coward · · Score: 5, Insightful

    The real news is that apparently, Yahoo Mail still exists.

    1. Re:The real news by CubicleZombie · · Score: 5, Interesting

      I've been using Yahoo mail since almost the beginning and still do.

      I changed my password as soon as I heard about this. Or, I tried to. Yahoo makes it so difficult to change your password that I actually had to go to Google and search for "How do I change my Yahoo password". Then once I figured out where to go (none of the links worked - I had to paste it from an answers.yahoo.com reply), the AJAXified page wouldn't work in Firefox on Linux, so I had to fire up my work PC and use IE.

      Unbelievable.

      While I was there, I deleted an old yahoo personals alias (also didn't work in Firefox - had to use IE), and then changed my backup email. But that didn't work either - the link in the confirmation email went to an error page.

      --
      :wq
    2. Re:The real news by Daniel+Hoffmann · · Score: 3, Insightful

      Yahoo mail was once the equivalent of gmail. It had a very good UI, speed and storage for its day. All of this when many ISPs still charged for an email account. It is not surprising that many people still hold on to their yahoo mail accounts.

    3. Re:The real news by GIL_Dude · · Score: 2

      I actually got a text message the other day (purporting to be Yahoo - turns out it was them) saying that unusual activity had been seen on my account and they had disabled it until I went to the site on a PC. (I hardly ever use it - so this was a surprise - it is just a catch all for crap sites I may have to sign up for to keep them out of my "real" email). Anyway, I have two factor auth turned on (for Google, MS, and Yahoo) so I was surprised to see this. I guess they used the right password, but couldn't pass the two factor test. Just signing on to my account sent me to a special page saying there was unusual activity and having me input my password and a new password (once only; no "type it twice" thing). The new password had to meet some criteria and their regex or whatever they were using is broken beyond belief. It says it must be between 8 and 32 characters, have upper and lower case, and numbers. However, my old password met most of this already and was 8 chars (it was only missing the upper case character). Adding a "Y" to the end did not pass - because apparently that is not an upper case character. Neither is any other upper case character. It looks like they need all of the character types in the first 8 positions in order to accept it. Very poor coding and design on that page. I finally just had KeePass generate a random PW for me and used that.

      I think this is a "score one for two factor" moment - but the poor implementation of the "fix" on Yahoo's part was a turn off.
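
The validator behaviour GIL_Dude describes, as an added example that is not Yahoo's code (the real cause is not known from the thread): the first check assumes the character-class rules were applied to only the first eight characters, which would explain why appending an upper-case letter to an eight-character password was rejected; the second applies the same rules to the whole password.

```python
import re

# Rules as GIL_Dude reports them: 8 to 32 characters, with upper case,
# lower case and digits.
RULES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
}
MIN_LEN, MAX_LEN = 8, 32


def failed_rules(password, window=None):
    """Return the names of the rules the password fails.

    `window` limits the character-class checks to the first N characters;
    None checks the whole string.
    """
    failed = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failed.append("length")
    scope = password if window is None else password[:window]
    for name, pattern in RULES.items():
        if not pattern.search(scope):
            failed.append(name)
    return failed


def broken_policy_ok(password):
    # Hypothetical cause of the reported behaviour: the class checks only
    # look at the first eight characters, so an upper-case letter in
    # position nine is never seen.
    return not failed_rules(password, window=MIN_LEN)


def fixed_policy_ok(password):
    # Corrected form: every rule is evaluated over the full password.
    return not failed_rules(password)


if __name__ == "__main__":
    old = "abcdefg1"       # constructed: 8 chars, lower case + digit, no upper
    retry = old + "Y"      # the change GIL_Dude tried first
    print(failed_rules(retry, window=MIN_LEN))              # ['upper']
    print(broken_policy_ok(retry), fixed_policy_ok(retry))  # False True
```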

    4. Re:The real news by chispito · · Score: 2

      It has better spam filtering than gmail, and ten years ago, when I started using it, way better than hotmail. Also, it was a great place to play chess.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  2. password will not protect you by Anonymous Coward · · Score: 3, Informative

    advised users of good password practices

    Good password practices are pointless if the backend database is compromised. That's like adhering to the five second rule after dropping a donut in a dogpile.

  3. Re:WTF by Albanach · · Score: 5, Interesting

    Hashing passwords is pretty pointless unless they're also salted. Otherwise all the common and short passwords are as good as being in plain text.

    As for why a 3rd party had the passwords, I think Yahoo need to be quite a bit more forthcoming and explain this. Surely they are aware that their customers are going to be reusing passwords and that, by giving a third party these passwords they are also exposing their customers' accounts on numerous other sites?

  4. Happens at all ISPs by Anonymous Coward · · Score: 2, Informative

    I work for a large ISP and we regularly see our customers' accounts targeted when some other website leaks their user information and it includes email addresses on our network and passwords the attackers can guess will give them access. If we can get hold of the leaked data we can work out which accounts are at risk and either warn the customers or reset their authentication credentials beforehand. Standard practice and good to see Yahoo is following it.

  5. Re:WTF by cdrudge · · Score: 2

    Maybe they were. As the Target security breach demonstrated, if you can intercept the information prior to it being hashed/encrypted, it's still usable.

    For example, say a website's authentication process code is compromised. It works exactly the same as it always has been, but prior to hashing the supplied password to compare to the saved salted & hashed value (exactly the way it should be), an extra function call is made that saves the username and password to some data store (text file, remote database, emailed, whatever). While the website is still at fault as their code was compromised, it wasn't that the password database wasn't properly protected. They just used a different vector to get the information.

    Or, and probably much more likely, it was what you say. It was some crappy security on a website that saves that information in plain text...probably even in a world-accessible text file.

  6. Among the funny things ... by fidget · · Score: 5, Informative

    ... is why suddenly yahoo is making a show of caring.

    I have a four-letter yahoo account (not that kind of four-letter word...) from waaaaay back in the day. It was something I maintained for about two decades for plausible deniability... a cut-out.

    SCORES of people have tried to hack it. A couple have succeeded, but not since I switched it to a 32-character mixed-case-and-special password. Still, they try at the rate of about 3 a week (that I *see* via attempted password-reset manipulations, 2-factor authentication change attempts, etc).

    But ... I have received about 10 emails from folks who wanted to 'own' the email address. And -- I think -- because I didn't acquiesce, I have received hundreds of thousands of spam emails in the intervening time. They've submitted my email to stupid dating sites in French, German, Thai, Spanish, Tamil and most recently Hebrew. Hell, I got 1000+ emails/day from ONE SITE for a few days, about a week ago.

    There's been phishing, spear-phishing based on the pseudo-identity hosted there, blind newsletter sign-up. Every kind of crap you can imagine, and several more.

    And every step of the way, I reported the infringements, the spamming, the users who have a variant of the name (e.g. foo2525 instead of foo): to the spam-handlers and to the variant-users.

    And yahoo has never given a shit. Not once. Period. IMHO, 'cause it was one account-holder. But I've kept it anyway -- since it's a great cut-out. And I'll continue to do so. Yahoo is a joke; has been for many years now. Sometimes... that's its value. It's a great example of what NOT to do, and it's a great revealer of the seedy underbelly of the 'net.

    http://demotivators.despair.co...

    1. Re:Among the funny things ... by DerekLyons · · Score: 2

      And yahoo has never given a shit. Not once. Period. IMHO, 'cause it was one account-holder.

      And frankly, that's as it should be. If you lucked into an especially desirable account name, it's not Yahoo!'s responsibility to keep people who want to buy it away from you. And reporting people who have a variant? Seriously? Unless it's a trademark or copyright issue, you have precisely zero leg to stand on. Yahoo! isn't responsible for your sense of self-entitlement.

      Meanwhile, I've had a Yahoo! account for decades now with no problems at all.

  7. Last night's spam email was probably the cause by cjmnews · · Score: 4, Informative

    A spam email that went to the Inbox stating that Yahoo! was going to close all inactive accounts if you did not click on this link and log in was probably how the attacker got the passwords. The link went to one of those off-shore URLs that we should all avoid.

    Phishing is still alive and well.

    And there are a lot of gullible people to phish for.

    --
    You can lose something that is loose, so tighten the loose item so you don't lose it.
  8. Tumblr? by Clyde+Machine · · Score: 2

    "Yahoo! announced via their Tumblr page"

    Really? This is how businesses are delivering their security announcements?

  9. Re:WTF by sl4shd0rk · · Score: 4, Insightful

    As for why a 3rd party had the passwords, I think Yahoo need to be quite a bit more forthcoming and explain this.

    Quite feasible that yahoo had nothing to do with it:
    Jimbob creates account on somecrackablesite.com using jimbob@yahoo.com email address. somecrackablesite.com gets cracked and attacker gets DB dump which contains username/email/pass for jimbob. Attacker assumes jimbob used same password for both sites and gains access to yahoo account. This is why using the same password for multiple sites is a big no-no.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
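
Three of the threads above (Albanach on salting, the ISP admin's practice of checking leaked data against its own accounts, and sl4shd0rk's jimbob scenario) in one added example that is not from the page or from any of these posters: a provider that stores only salted PBKDF2 hashes can still find out which of its users reused a password that turned up in a third-party dump, by verifying each leaked pair against its own records. The names, the mail.example domain, the dump format and all passwords are constructed.

```python
import hashlib
import hmac
import os

# The provider's side: passwords are stored only as salted PBKDF2 hashes.
# Constructed data for the hypothetical domain mail.example.
def make_record(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}


def verify(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])


USERS = {
    "jimbob@mail.example": make_record("hunter2"),
    "alice@mail.example": make_record("correct horse battery staple"),
    # Same password as jimbob, but a different salt gives a different hash,
    # so the two records cannot be linked (Albanach's point).
    "carol@mail.example": make_record("hunter2"),
}

# A constructed dump in the "email:password" shape a somecrackablesite.com
# leak might take; the provider obtains it after the fact.
LEAK = """\
jimbob@mail.example:hunter2
alice@mail.example:letmein
dave@other.example:hunter2
carol@mail.example:Hunter2
"""


def parse_leak(text, domain):
    """Yield (email, password) pairs from the dump that belong to our domain."""
    for line in text.splitlines():
        email, _, password = line.partition(":")
        if email.endswith("@" + domain):
            yield email, password


def at_risk_accounts(leak_text, users, domain):
    # Accounts whose leaked password still verifies against our stored hash
    # are exactly the ones a replay of the dump would log into: force a
    # reset on those; everyone else on the list only needs a warning.
    return sorted(email for email, pw in parse_leak(leak_text, domain)
                  if email in users and verify(users[email], pw))


if __name__ == "__main__":
    print(at_risk_accounts(LEAK, USERS, "mail.example"))  # ['jimbob@mail.example']
```

The carol line shows why the check must go through the real verifier rather than a string compare: her leaked password differs from the stored one by case, so her account is reported as safe.
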
  10. My Soapbox! by Anonymous Coward · · Score: 3, Interesting

    I manage mail servers for a mid sized company, and Yahoo can kiss my ass! Their IP ranking system is stupid and they won't change it, which fucks any smaller ISP hosting multiple domains on a single IP. If we have a company get a mailbox compromised from domainx, yahoo blocks all mail from the IP instead of the domain so everyone else is screwed. Even when we lock the account, yahoo has no method of unblocking.

    To make things 10 times worse, their mail interface has a big ole "SPAM" button which allows users to delete mail in a single click where their "Delete" button requests confirmation. Users tend to use the SPAM button because it's easier to delete messages, and not obvious that they are actually reporting the person as a spammer to Yahoo who again fucks the ISP by blocking their mail. After years of complaints from companies, if you use Firefox you will see a button that says "Report Spam", but IE still just shows "Spam".

    Yahoo of course does not give a shit and won't add a confirmation to that "spam" button to let users know they are reporting a server for "spam" and not simply deleting a message.

    And look, I absolutely hate spam. I would not work for a company that sends spam and think they are as useful to society as telemarketers. Yahoo just sucks at doing anything worthy to reduce spam. Their IP ranking system has been broken and complained about since it came out, but since it's cheap for them to use they continue with the broken program and don't care that this harms their user base more than it saves them money trying to fight spam.

    1. RE: My Soapbox! by Anonymous Coward · · Score: 2, Interesting

      I used to work for a student loan servicer - who only sent emails for things like account notifications, ACH withdrawal notifications, etc. We'd have to fight our way off of Yahoo blacklists two or three times in the five years I was there. Yahoo's "spam" management is a common problem for admins hosting mail services.

  11. Re:WTF by jones_supa · · Score: 3, Insightful

    This is why using the same password for multiple sites is a big no-no.

    And flipping that around a bit, it is also a security risk as so many sites allow a password reminder through e-mail. If someone cracks only your e-mail, he can just send these reminder requests around the web and get access to various sites.